﻿\chapter{Appendices}


\section{Appendix A : Most popular target of the rootkits}
\label{app:popularTarget}


	\begin{figure}
	\begin{center}
	\caption{``Features of example Linux kernel-modifying rootkits. \emph{Extracted from \cite{copilot}} " \label{fig:copilotRootkits}}		
	\includegraphics[width=6in]{images/copilotRootkits.png}
	\end{center}
	\end{figure}
	
The authors of the Copilot paper have claimed that system call table is the most popular target of rootkits \cite{copilot}. They have showed it using figure \ref{fig:copilotRootkits}. 


\emph{Below is a extract from their paper about the figure \ref{fig:copilotRootkits}.}


The remaining columns of figure \ref{fig:copilotRootkits} show that the example rootkits use a variety of means to cause the kernel to execute their code. Nearly all of them overwrite the addresses of some of the kernel’s system call handling functions in the system call table with the addresses of their own doctored system call handling functions. This act of system call interposition causes the kernel to execute the rootkit’s doctored system call handling functions rather than its own when a user program makes a system call.

\emph{Extracts from their paper about implementation and evaluation.}

The only kernel jump table hashed by the present version of the Copilot monitor is the host kernel’s system call vector – the most popular target of the rootkits. Although this presently limited coverage provides many opportunities for clever rootkits to pass unnoticed, it is sufficient to demonstrate that host kernel integrity monitoring is possible from a coprocessor on a PCI add-in card.

The present Copilot monitor prototype has successfully detected the presence of each of the rootkits listed in this table within 30 seconds of their being installed on the testbed host.










